Tuesday, July 3, 2018

Check my diagram - and Security

I'm trying to work out what the optimal firewall implementation would be if I could ever rip out our firewalls and start again. See the diagram below. The purpose of my question here is what access to inside and outside zones should all these different types of servers have?

Diagram: https://ibb.co/kNFMNJ

So far I've actually decided that there would be absolutely no permit statements going from any of the server-side zones to the inside or outside zones (with the exception of the WSUS update servers, which would require internet access). The reason is that everything should be initiating traffic towards those servers, not the other way around. So I would only need to build access policy FROM the INSIDE and OUTSIDE zones for limited access towards those servers. I would also, obviously, build a policy for communication between the server zones.

But I've not really had the luxury of starting a firewall area like this from scratch for a DC. So would this be the correct thinking with regard to my idea that servers don't need permit rules to inside and outside?
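The design described in the post (default deny from the server-side zones towards inside and outside, permits only from inside/outside towards the servers, a single WSUS exception, and separate inter-zone rules) can be modelled as a small stateful policy engine. The following is an added example, not code from the post; the zone names (`web`, `db`, `wsus`), ports and rules are constructed because the linked diagram is not available here. It shows the point that makes the design workable: reply traffic from a server back to a client is allowed by session state, so no reverse permit rule is needed, while a server-initiated connection is dropped. A small lint function also checks that a rule set honours the "no server-to-inside/outside permits except WSUS" invariant.

```python
"""Zone-based firewall policy model (added illustration, not from the post).

Zone names, ports and rules below are constructed assumptions; the post's
diagram is not reproduced here.
"""
from dataclasses import dataclass

INSIDE, OUTSIDE = "inside", "outside"
SERVER_ZONES = {"web", "db", "wsus"}            # assumed server-side zones
WSUS_EXCEPTION = ("wsus", OUTSIDE, {80, 443})   # the one server->outside permit


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_port: int
    dst_port: int
    syn: bool = True   # True = new connection attempt, False = reply packet


# Permit rules: (src_zone, dst_zone, set of permitted destination ports).
# Anything not matched by a rule is dropped (default deny).
RULES = [
    (INSIDE, "web", {22, 443}),     # admins and users reach the web tier
    (INSIDE, "db", {1433}),         # DBAs reach the database tier
    (INSIDE, "wsus", {8530}),       # clients pull updates from WSUS
    (OUTSIDE, "web", {443}),        # public web traffic
    ("web", "db", {1433}),          # inter-zone policy between server zones
    WSUS_EXCEPTION,                 # WSUS fetches updates from the internet
]


def permitted_new(pkt, rules=RULES):
    """True if a new connection attempt matches a permit rule."""
    return any(
        pkt.src_zone == s and pkt.dst_zone == d and pkt.dst_port in ports
        for s, d, ports in rules
    )


class StatefulFirewall:
    """Permits new sessions by policy and reply packets by session state."""

    def __init__(self, rules=RULES):
        self.rules = rules
        # Session key: (client_zone, client_port, server_zone, server_port)
        self.sessions = set()

    def forward(self, pkt):
        if pkt.syn:
            if permitted_new(pkt, self.rules):
                self.sessions.add(
                    (pkt.src_zone, pkt.src_port, pkt.dst_zone, pkt.dst_port)
                )
                return "permit"
            return "drop"
        # A reply is only allowed if it reverses an established session.
        reverse = (pkt.dst_zone, pkt.dst_port, pkt.src_zone, pkt.src_port)
        return "permit" if reverse in self.sessions else "drop"


def policy_violations(rules=RULES, exceptions=(WSUS_EXCEPTION,)):
    """Lint: server zones may not initiate to inside/outside except listed exceptions."""
    return [
        r for r in rules
        if r[0] in SERVER_ZONES and r[1] in (INSIDE, OUTSIDE) and r not in exceptions
    ]


if __name__ == "__main__":
    fw = StatefulFirewall()
    # Inside-initiated session to the database tier: permitted by policy.
    print(fw.forward(Packet(INSIDE, "db", 50000, 1433)))
    # The database's reply: permitted by state, with no db->inside rule.
    print(fw.forward(Packet("db", INSIDE, 1433, 50000, syn=False)))
    # A server trying to open its own connection inward: dropped.
    print(fw.forward(Packet("db", INSIDE, 50001, 445)))
    # The documented WSUS exception towards the internet: permitted.
    print(fw.forward(Packet("wsus", OUTSIDE, 50002, 443)))
    # Rule set honours the invariant: no violations listed.
    print(policy_violations())
```

Running the script shows `permit`, `permit`, `drop`, `permit` and an empty violation list. Feeding `policy_violations` an extended rule set containing, say, a `("web", "outside", {443})` rule flags that rule, which is the kind of check worth running whenever the policy is changed so the original design intent is not eroded one rule at a time.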
